[Pdns-users] Only REFUSED responses after upgrade.

Tue May 28 18:25:09 UTC 2019

Hello all,

(This may be a duplicate, but probably not, as I realized I sent it the 
first time before I confirmed my subscription to the mailing list....)

I have a private DNS server on PowerDNS that is used for a remote 
support network.
It's not publicly accessible, and uses a domain name (remote.local) that 
can't be Internet routed.
It uses the gMySQL backend to MySQL on a different host, with a script 
that parses an OpenVPN status file and updates the DNS records as 
required.
This part isn't the issue, and works just fine.

This DNS server has been running on Debian 7 Wheezy for years without 
issue.
Debian 7.11 packaged PowerDNS 2.9.22.
Since Debian 7 is well out of support, I wanted to update this server to 
a supported version.
I upgraded to Debian 8 Jessie, which uses PowerDNS 3.4.1.
Immediately all DNS queries to this server started returning REFUSED.  
At first I thought it wasn't connecting to the database, as the host 
command returned nothing at all.  The startup log info for pdns-server, 
though, clearly shows the database connection is made successfully.

Dig, however, returns a REFUSED status for every query given, even if 
queried from the DNS server itself.
It doesn't matter if it's a domain that pdns is supposed to be 
authoritative for, or not.
One thing I did note was that every dig query said
# WARNING: Recursion requested but not available.

I assumed my issue was a new security feature, so did a bunch of 
Googling.
As a result, I've tried setting the 'allow-recursion' directive to my 
entire class B network (172.16.0.0/16).
Now the recursion warning has disappeared, but it still has a REFUSED 
status for the queries.

master is enabled in the configuration, along with the webserver, but 
I'm pretty sure there are no other changes.
I can post the entire configuration if necessary.

The webserver stats interface says that all queries are for domains that 
pdns is _not_ authoritative for, even though the zone type is set to 
'master' in the database for my remote.local domain.

I tried setting up a test PowerDNS server on an OrangePi I've been 
playing with, and got it working, on Debian 9 (PowerDNS 4.0.3), but with 
a local MySQL server, rather than another host.
At this point I figured there may be a bug in something in Debian 8, so 
I upgraded the DNS server to Debian 9, too.
Still no dice.
I've compared the configurations of the two, and can't find any 
difference between the OrangePi and the live DNS server, other than the 
obvious MySQL host changes, and the fact that it's running on ARM, 
rather than x86.
I even tried copying the entire configuration from the functional ARM 
one to the broken x86 one, with the exception of the gmysql backend 
configuration, and it _still_ fails with the same REFUSED.

Incidentally, it's running on a VirtualBox VM on top of another Debian 
7.11 host that I'm also going to upgrade.  I don't think that should 
make a difference, but figured I'd add it.

I've read a bunch of documentation on powerdns.com, and a number of 
Google searches on variations of "powerdns refused all queries" and 
haven't found anything that I haven't already tried.

Am I missing something small and stupid that needs to be done during the 
upgrade from 2.x to 3.x?

Now, just before I sent this, I reconfigured the functional ARM machine 
to use the off-host database server that my live PDNS server is using, 
and now it's returning REFUSED for every query.
The DB server is also still running Debian 7.11, so it's on my schedule 
to update.  Is this a database problem, or is there a bug in the gmysql 
backend in 3.x+ that breaks queryies to remote hosts?

Thanks in advance,
Chris